Hi,

>> I am not so sure many servers support it, though. My latest data,
>> unfortunately, is not evaluated yet. But in 2011 the difference between
>> switching on SNI and connecting without it, was pretty meagre across the
>> Alexa range. Granted, many of those hosts may not be VHosts.
>>
>> Does Google have better data on that?
>
> I think you're testing that wrong. The major websites run one website
> at multiple IPs - not multiple websites at a single IP. So connecting
> with/without SNI will usually get you the same result.

To clarify: we did not hunt SNI-enabled sites. We were after cases where
a server on the Alexa lists shows the default certificate for another
site, but will show the correct one if SNI is enabled. We thus did two
scans back then, one with and one without SNI enabled, and determined
whether we saw different certificates for some domains. In the setup you
describe, we'd fully expect the same certs -- and I agree it seems to be
the much more prevailing setup.

> You want to test the Alexa 2,000,000 - 3,000,000 sites and see if you
> get a different result - hit shared hosting sites, where multiple
> sites run on a single IP.

Ideally, I'd combine an IP scan with DNS information from zone files
(which we have, but I don't have the time to do it).

> [0] https://en.wikipedia.org/wiki/Server_Name_Indication

Yes, but our scans back then did not determine deployed server versions.

Ralph

--
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
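
The two-scan comparison described in the message above, as an added example (not part of the original message and not the authors' scan tooling): one handshake per host with SNI and one without, then a classification of each pair. The function names, category labels and sample records are assumptions made for this sketch; the sample data is constructed, and the DNS names are assumed to have been extracted from each certificate by a separate parser.

```python
import hashlib, socket, ssl
from collections import Counter

def fetch_leaf_der(host, port=443, use_sni=True, timeout=5.0):
    """Leaf certificate (DER) presented by host, with or without the SNI extension."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # measurement only: record the cert, do not trust it
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # server_hostname=None makes the ssl module leave SNI out of the ClientHello
        with ctx.wrap_socket(sock, server_hostname=host if use_sni else None) as tls:
            return tls.getpeercert(binary_form=True)

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def name_matches(pattern, host):
    """Certificate DNS name match; '*' may stand for the left-most label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def classify(host, no_sni, with_sni):
    """Each argument is (fingerprint, dns_names), or None if that handshake failed."""
    if no_sni is None or with_sni is None:
        return "incomplete"
    if no_sni[0] == with_sni[0]:
        return "same-cert"            # e.g. one site served from many IPs
    ok_without = any(name_matches(n, host) for n in no_sni[1])
    ok_with = any(name_matches(n, host) for n in with_sni[1])
    if ok_with and not ok_without:
        return "sni-dependent"        # default cert of another site unless SNI is sent
    return "differs-other"

# Constructed sample results (not real scan data); DNS names assumed already parsed
A, B, C = fingerprint(b"cert-a"), fingerprint(b"cert-b"), fingerprint(b"cert-c")
SCANS = {
    "www.big.example":    ((A, ["*.big.example"]), (A, ["*.big.example"])),
    "shop.small.example": ((B, ["other.example"]), (C, ["shop.small.example"])),
    "down.example":       (None, (C, ["down.example"])),
}

def summarize(scans):
    return Counter(classify(h, a, b) for h, (a, b) in scans.items())

if __name__ == "__main__":
    print(dict(summarize(SCANS)))
```
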